diff options
| author | 2026-04-04 01:41:38 +0100 | |
|---|---|---|
| committer | 2026-04-04 01:51:38 +0100 | |
| commit | 3d150ba5da604569f075b20cc560e7d04aeac993 (patch) | |
| tree | 632d544c28d261424aab96c276494fba05b9c800 /modules/spanningtree/server.cpp | |
| parent | Fix determining if a TLS certificate is usable. (diff) | |
| download | inspircd++-3d150ba5da604569f075b20cc560e7d04aeac993.tar.gz inspircd++-3d150ba5da604569f075b20cc560e7d04aeac993.tar.bz2 inspircd++-3d150ba5da604569f075b20cc560e7d04aeac993.zip | |
Tighten up the TLS requirements for server links.
Servers must now either provide a fingerprint in the link config or provide a
valid certificate. There's an undocumented (for now) opt-out in the config but
even with this set it still doesn't allow expired, revoked, or otherwise invalid
certificates.
Diffstat (limited to 'modules/spanningtree/server.cpp')
| -rw-r--r-- | modules/spanningtree/server.cpp | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/modules/spanningtree/server.cpp b/modules/spanningtree/server.cpp index 7c6c08544..6199673ae 100644 --- a/modules/spanningtree/server.cpp +++ b/modules/spanningtree/server.cpp @@ -141,19 +141,26 @@ std::shared_ptr<Link> TreeSocket::AuthRemote(const CommandBase::Params& params) if (!ComparePass(*x, password)) { - ServerInstance->SNO.WriteToSnoMask('l', "Invalid password on link: {}", x->Name); + ServerInstance->SNO.WriteToSnoMask('l', "Invalid credentials on link: {}", x->Name); continue; } - if (!CheckDuplicate(sname, sid)) + auto* hook = TLS::GetHook(this); + if (hook && !hook->GetCertificate()->IsUsable(!x->AllowSelfSigned)) + { + this->SendError("Peer provided an unusable (probably self-signed) TLS certificate"); return nullptr; + } - if (TLS::GetHook(this) && !IsLocalRange(capab->remotesa)) + if (!hook && !IsLocalRange(capab->remotesa)) { - this->SendError("Non-local server connections MUST be linked with SSL!"); + this->SendError("Non-local server connections MUST be linked with TLS"); return nullptr; } + if (!CheckDuplicate(sname, sid)) + return nullptr; + ServerInstance->SNO.WriteToSnoMask('l', "Verified server connection " + linkID + " ("+description+")"); return x; } |
